here is the sample config for your reference:
The ASA can not inspect HTTPS. You could deny name-resolution for facebook.com or use a proxy-server that can inspect HTTPS-traffic.
You can not block https as the "get-request' for the facebook.com will be encypted. However you can use ASA to block facebook based on your DNS request in case you dns request is passing through the ASA. ASA can inspect that DNS packet and based on regex you can deny that dns request.
In this way user will never be able to connect to facebook.com (3-way handshake).
but if you are using an internal DNS server, ASA won't be receiving the request if it is in same LAN segment.